Security Roundup - 2017-11-24

LavaRand - Leveraging Real World Randomness. Did you know that Cloudflare harvests randomness from a wall of lava lamps as an entropy source? By photographing a real-world, unpredictable physical process, they mix additional entropy into the pseudo-random pools on their servers. They've recently posted this article on their motivations for going to the trouble of setting this up.

Fake Symantec Blog Spreading Malware. Researchers have discovered a fake security blog made to look like the Symantec blog. The site has been taken down, but it contained a post enticing readers to download a 'security tool' that was actually a variant of the Proton credential stealer.

Vulnerability Equities Process Transparency. The White House has announced additional transparency around the factors that determine whether government agencies notify vendors about vulnerabilities they discover. Mozilla feels it is a step in the right direction, but several security researchers are skeptical of the announcement. Notably, Bruce Schneier suggests this is just additional window dressing and that time will tell; Adam Shostack points out the long list of threats that are not considered factors in the VEP (https://adam.shostack.org/blog/2017/11/vulnerabilities-equities-process-and-threat-modeling/); and Sophos points out that this year we have seen plenty of undisclosed vulnerabilities stolen and weaponized.

Session Recording Tools Scoop Up Excessive Data. Use a service that records what users do on your site (for analytics and usability review)? It may be scooping up much more information than you expect. Many of these scripts record every keystroke and mouse click, including input users never actually submit to the site, and in some cases researchers observed them capturing passwords, credit card numbers and other PII.

New OWASP Top 10. The Open Web Application Security Project (OWASP) has released the 2017 version of its Top 10 web application risks. Unsurprisingly, Injection is still listed as the #1 risk. However, there are three new entries. The first is XML External Entities (XXE), where XML parsers (in APIs or otherwise) that honour a document's DOCTYPE can be instructed to load external content, allowing disclosure of internal files, server-side request forgery, denial of service and, in some configurations, remote code execution. The second is Insecure Deserialization, which honestly feels very similar to injection and XXE but is aimed at object serialization: attackers craft serialized complex objects so that deserializing them invokes code of the attacker's choosing, up to remote code execution. Finally, there is Insufficient Logging & Monitoring, where not knowing what is going on greatly increases defenders' reaction time and the likelihood that an attacker's exploitation succeeds.
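As an added illustration of the Insecure Deserialization entry (example code written for this roundup, not taken from OWASP or any of the linked articles): a Python pickle payload that runs a command the moment it is loaded, next to a restricted unpickler that refuses to resolve any class outside an allow-list. The marker command, the allow-list and the sample payloads are assumptions made for the demo.

```python
import io
import pickle
import subprocess
import sys


class Malicious:
    """Attacker-controlled object whose pickled form runs a command on load."""

    def __reduce__(self):
        # pickle records (callable, args) and pickle.loads calls callable(*args).
        # A Python child printing a marker stands in for a real payload (assumption).
        return (subprocess.check_output,
                ([sys.executable, "-c", "print('pwned')"],))


def build_payload() -> bytes:
    """What the attacker sends: no Malicious class is needed on the receiving side."""
    return pickle.dumps(Malicious())


def legit_payload() -> bytes:
    """Constructed example of the data the application actually expects."""
    return pickle.dumps({"user": "alice", "roles": ["admin"]})


def unsafe_load(data: bytes):
    """The vulnerable pattern: whatever callable the stream names gets invoked."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Only resolves the few builtin types the application needs (assumed allow-list).
    Plain dicts/lists/strings are built from opcodes and never reach find_class,
    so anything that does reach it is a global reference worth refusing."""

    ALLOWED = {("builtins", "dict"), ("builtins", "list"),
               ("builtins", "set"), ("builtins", "str"), ("builtins", "int")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_rejected(data: bytes) -> bool:
    """True when the restricted loader refuses the stream."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe:", unsafe_load(build_payload()))      # command ran: b'pwned\n'
    print("safe legit:", safe_load(legit_payload()))    # the expected dict
    print("safe malicious rejected:", loads_rejected(build_payload()))
```

The allow-list shrinks the attack surface but is still a mitigation on top of a format designed to execute code; for untrusted input the better fix is a data-only format such as JSON with schema validation.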

Leveraging Multiple Vulnerabilities To Achieve Exploitation. Now that you have familiarized yourself with the new OWASP Top 10, read this article on how the authors chained several of these weaknesses together to reach remote code execution.

GitHub starts highlighting out-of-date software. GitHub has taken a major step forward in security by telling people when they are using software packages with known vulnerabilities ('Using Components with Known Vulnerabilities' is #9 on the OWASP Top 10). They've started with Ruby and JavaScript, which covers 75% of projects with detectable dependencies today.

Misconfigured API access allows for data harvesting. Security researchers have discovered that many developers using the Twilio messaging API have hard-coded their account credentials into their apps, so anyone who extracts the credentials from the app package can pull the developer's Twilio call and message metadata without users noticing. At the time of writing this could affect more than 600 apps across Android and iOS. The same mistake shows up with other services as well, such as Amazon S3 access keys.
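A minimal scanner for the kind of hard-coded credentials described above, written for this roundup rather than taken from the researchers' tooling. The credential formats (Twilio Account SID "AC" plus 32 hex characters, a 32-hex auth token, AWS access key IDs starting "AKIA"/"ASIA", 40-character AWS secrets) follow the vendors' public documentation; the Java snippet it scans is constructed and the AWS values are Amazon's own documentation placeholders.

```python
import re

# Credential formats assumed from the vendors' public documentation.
# Patterns that need context (token/secret) capture the value in group 1;
# the others match the value directly.
PATTERNS = {
    "twilio_account_sid": re.compile(r"\bAC[0-9a-fA-F]{32}\b"),
    "twilio_auth_token": re.compile(
        r"(?i)(?:auth|twilio)[_-]?token\s*[=:]\s*['\"]([0-9a-f]{32})['\"]"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret(?:[_-]?access)?[_-]?key\s*[=:]\s*['\"]"
        r"([A-Za-z0-9/+=]{40})['\"]"),
}

# Constructed sample source, not from any real app. The last field shows the
# pattern that should replace the literals: read the credential at runtime.
SAMPLE_SOURCE = """\
// constructed sample, not from any real app
public class SmsClient {
    static final String ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef";
    static final String AUTH_TOKEN  = "0123456789abcdef0123456789abcdef";
    static final String AWS_KEY     = "AKIAIOSFODNN7EXAMPLE";
    static final String AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    static final String SID_FROM_ENV = System.getenv("TWILIO_ACCOUNT_SID");
}
"""


def redact(secret: str) -> str:
    """Keep enough of the value to locate it in the source without re-leaking it."""
    return secret[:4] + "..." + secret[-4:]


def scan(source: str) -> list:
    """Return [(line_no, kind, redacted_value)] for every hard-coded credential found."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                findings.append((line_no, kind, redact(value)))
    return findings


if __name__ == "__main__":
    for line_no, kind, value in scan(SAMPLE_SOURCE):
        print(f"line {line_no}: {kind} = {value}")
```

Run it over the decompiled sources or resource files of an app bundle; the fix for every finding is the same as the last field in the sample, keep the secret out of the shipped artifact and fetch it at runtime from a backend or secure store.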

Security Roundup - 2017-11-10

Digitally Signed Malware Surprisingly Common. Code signing uses a certificate issued to a publisher to sign an application so that operating systems (and users) will trust it. However, correctly signed malicious packages have turned up in the wild. Once associated mainly with nation-state attackers and well-resourced criminal groups, researchers have now shown that this happens more often than expected, discovering 189 instances going back to 2003. 109 of the digital certificates used to sign these malicious apps are still valid. Some of them had previously signed benign software, meaning the organization may have lost control of its private keys. Related research has also been published on broken trust in code signing and antivirus. The most shocking finding is that a signature, even one made with an expired certificate or one that doesn't match the file, causes a number of antivirus products to mark the file as benign, abusing that trust. But perhaps more interesting is the ability to hijack signatures, which one researcher has demonstrated.

Mobile Pwn2Own Competition Results. Pwn2Own is a yearly competition in which hackers compete to demonstrate zero-day exploits against browsers and other widely used software. Last year it expanded into virtual machines, and mobile devices have their own event, Mobile Pwn2Own. A large number of bugs were demonstrated against devices including the Samsung Galaxy S8 and the iPhone 7, all of which have been privately disclosed to the manufacturers so that patches can be created. You can read up on details for day one and day two.

Spam And Phishing Q3 Report. Want to stay on top of the latest spam and phishing techniques? Kaspersky has released their Q3 observations. Highlights are messages trying to coerce people into cryptocurrency get rich quick schemes and free stuff (from flights to phones).

Account Takeovers. Google has released research into the root causes of account takeovers. While it is not particularly surprising that a fair portion is due to credential reuse (use unique passwords everywhere!), a fair amount is gathered via phishing and keyloggers. Phishing kits increasingly try to collect additional information beyond the password, to help them get past other account protections.

Companies Actively Trying To Work Around Browser Security Warnings. What's worse than a company not serving a form over HTTPS? Actively working around browser protections to pretend everything is fine. Check out this interesting story of the amount of effort one company put into evading browser checks rather than just deploying HTTPS.

Size Matters Not. At least in terms of your risk of being exploited. Regardless of what your website actually does, it is valuable to an attacker as a resource. Even if you have nothing to steal directly, an attacker can use your infrastructure to run phishing campaigns, malvertising or spam with less risk to themselves (and more risk to you!).

DarkVNC Deep Dive. And for those that like deep dives, check out this article walking through an exploit that infects a victim with 'DarkVNC', a hidden VNC component that lets attackers view and control the machine remotely.

Security Roundup - 2017-11-03

Cyber Security Awareness Month Wraps Up. And WeLiveSecurity has finished its expanded coverage of the Twitter conversations. You can check out Part 3, in which they cover "CyberAwareness", and Part 4, where they talk about the Internet of Things.

Hardware Hacking. Speaking of the Internet of Things, this week brings us an interesting article from a pentester giving his view on hardware hacking. It covers a number of attack vectors we have seen over the last year (no surprise that outdated software is #1 on the list), but also the more interesting techniques available to someone with physical access.

Terrifying USB Find. I know this week was Halloween, but this news about a USB drive containing plaintext files on Heathrow Airport’s security was downright terrifying. Items included, but are not necessarily limited to, details about security badges, patrol routes, and even travel routes for the Queen and other traveling dignitaries.

Google's reCAPTCHA Broken. Google's system for distinguishing people from bots has been broken again. This time, researchers leveraged improvements in speech-to-text engines to solve the audio version of the challenge, passing ~85% of captchas in ~5.4 seconds on average.

"Smart" Locks. Amazon has recently announced a smart lock system that would allow couriers to deliver packages straight into your home. This is a risky proposition, and Malwarebytes gives some good reasons why, including security vulnerabilities and accidentally getting locked out of your own home.

Chrome to remove Public Key Pinning. Chrome developers have signaled their intention to remove HTTP Public Key Pinning (HPKP) support from the browser in 2018. PKP was intended as a way for an organization to specify which HTTPS certificates (or keys) may be used to serve its site. In practice it has proven difficult to roll out: a misconfiguration or a lost key can lock users out of the site until the pin's max-age expires. Google now advocates Certificate Transparency, which Chrome is making mandatory for newly issued certificates, to detect mis-issued certificates and protect users from them.

Dell Loses Control of Update Domain. Earlier this month we learned that Dell lost control of a domain intended to help customers recover from malware. Ironically, it was taken over by malware developers and likely used to serve the very threats it was meant to help customers deal with.

More Malicious Chrome Extensions. The latest appears to be spread by phishing and is used to harvest any data posted to forms, such as usernames, passwords and people's Facebook updates.

Malware Analysis Via API Calls. Malwarebytes has been seeing more heavily obfuscated malware, which makes static analysis harder for analysts. Rather than reverse engineering the outer layer, they walk through a technique of dynamically analysing the system API calls the sample makes while running.

Security Roundup - 2017-10-27

China Outpaces USA in Vulnerability Disclosure. When vulnerabilities are disclosed, China's national database publishes details faster than the USA's, especially for uncoordinated releases, where the China National Vulnerability Database (CNNVD) has details almost 5.5x faster than the US National Vulnerability Database (NVD). The difference? NIST analyses and aggregates publicly available and/or voluntarily submitted information, whereas CNNVD takes the more proactive stance of monitoring various outlets and producing details as quickly as possible so that companies can make informed decisions.

Duhk, Duhk, Goose. Another named vulnerability has made the rounds: DUHK (Don't Use Hard-coded Keys). DUHK is made possible by a hard-coded key (hence the name) for the ANSI X9.31 random number generator shipped in a number of security devices, including several VPN appliances. The firmware for these devices is usually available for download, so an attacker can extract the key, recover the generator's internal state from a small amount of observed output (such as handshake nonces), and predict the session keys it goes on to produce, decrypting what should be encrypted traffic.
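To show why a hard-coded generator key is fatal, here is a simulation of the DUHK attack written for this roundup (not the researchers' code). It implements the ANSI X9.31 update function, but with a toy 64-bit Feistel cipher in place of the real 3DES/AES block cipher and a plain seconds counter as the timestamp, so the whole thing runs offline; the firmware key, seed, timestamp and the attacker's 60-second timestamp window are constructed for the demo. The attacker sees two outputs, knows the key from the firmware, and predicts the third.

```python
import hashlib

MASK32 = 0xFFFFFFFF
ROUNDS = 8


def _f(key: bytes, rnd: int, half: int) -> int:
    """Feistel round function: 32 bits of SHA-256 over (key, round, half)."""
    data = key + bytes([rnd]) + half.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def toy_encrypt(key: bytes, block: int) -> int:
    """64-bit Feistel block cipher standing in for the cipher X9.31 keys with K."""
    left, right = (block >> 32) & MASK32, block & MASK32
    for rnd in range(ROUNDS):
        left, right = right, left ^ _f(key, rnd, right)
    return (left << 32) | right


def toy_decrypt(key: bytes, block: int) -> int:
    left, right = (block >> 32) & MASK32, block & MASK32
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _f(key, rnd, left), left
    return (left << 32) | right


def x931_step(key: bytes, v: int, t: int):
    """One ANSI X9.31 iteration: returns (output block R, next state V')."""
    i = toy_encrypt(key, t)           # I  = E_K(T), T = timestamp/counter
    r = toy_encrypt(key, i ^ v)       # R  = E_K(I xor V)   <- the "random" output
    v_next = toy_encrypt(key, r ^ i)  # V' = E_K(R xor I)   <- the new secret state
    return r, v_next


def generate(key: bytes, seed: int, t0: int, count: int) -> list:
    """Device side: emit `count` outputs, one per tick starting at t0."""
    outputs, v = [], seed
    for k in range(count):
        r, v = x931_step(key, v, t0 + k)
        outputs.append(r)
    return outputs


def recover_state(key: bytes, r1: int, r2: int, t_lo: int, t_hi: int):
    """Attacker side. K is known from the firmware, r1/r2 are two consecutive
    observed outputs (e.g. handshake nonces) and T is known to lie in [t_lo, t_hi).
    Since V' = E_K(R xor E_K(T)), one output plus the right T gives the full
    state; the second output confirms the T guess. (The seed V itself could be
    recovered too: V = D_K(R) xor E_K(T).) Returns (t_of_r2, state_after_r2)."""
    for t in range(t_lo, t_hi):
        i = toy_encrypt(key, t)
        v_after_r1 = toy_encrypt(key, r1 ^ i)
        r2_pred, v_after_r2 = x931_step(key, v_after_r1, t + 1)
        if r2_pred == r2:
            return t + 1, v_after_r2
    return None


def demo() -> bool:
    """True if the attacker correctly predicts the device's third output."""
    key = b"key-baked-into-firmware"   # constructed; this is the DUHK precondition
    seed = 0x0123456789ABCDEF          # device's boot-time seed, never seen by attacker
    t0 = 1_509_000_000                 # constructed timestamp in seconds
    outs = generate(key, seed, t0, 3)  # outs[2] would become the next session key
    found = recover_state(key, outs[0], outs[1], t0 - 30, t0 + 30)
    if found is None:
        return False
    t_r2, v = found
    predicted, _ = x931_step(key, v, t_r2 + 1)
    return predicted == outs[2]


if __name__ == "__main__":
    print("attacker predicted next output:", demo())
```

Note that nothing about the attack depends on the seed: with K public, X9.31's entire secret collapses to the timestamp, which the attacker brute-forces from a handful of candidates. That is the design flaw the name warns against, and why the real fix is a per-device key (or a different generator), not a longer seed.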

Google Likes To Play.... Dangerously. Google has been dealing with a number of Play Store app issues over the last year. While they have taken a number of steps to deal with malicious apps, they have also just invited further scrutiny by starting a bug bounty program specifically for certain apps in the store. Interested Android app developers can opt their apps into the program, furthering Google's goal of improved Android app security.

HaveIBeenPwned API Hackathon. Troy Hunt of HaveIBeenPwned has challenged people to build something interesting with his APIs. Check out the comments for some interesting things that have already been completed!

Massive PII Data Leak from South Africa. Troy also disclosed a large leaked dataset containing PII. His article details the various things he did (and the help he received) to identify the likely source of the data (South Africa), as well as how bad it is (PII and records for children and teens).

CERT Guide To Vulnerability Disclosure. CERT has released a massive 121-page guide on coordinated vulnerability disclosure. Thankfully, Hacker provides a summary. The summary of the summary is that the document covers how to ensure the least harm is done to the public while minimizing the harm attackers can cause. Ultimately, it is beneficial for vendors to run coordinated disclosure programs, so that researchers can report findings through the appropriate channels, confident there will be a response, and vendors can resolve issues quickly rather than researchers feeling they need to create a media sensation to drive fixes.

Bad Rabbit. The ransomware making big headlines this week was Bad Rabbit. Using a fake Flash update to get onto victim computers, Bad Rabbit uses the EternalRomance SMB exploit to spread laterally within a network, and also tries a list of hard-coded usernames and passwords to brute-force its way onto SMB shares.

IoT Botnets Still Threatening. Check Point provides details on a new IoT botnet they have been tracking, believing millions of devices may have been recruited, giving it plenty of DDoS capacity. Further news seems to indicate that the individuals behind this botnet may be gearing up to weaponize it.

Security Roundup - 2017-10-13

Credit Bureaus Serving Malicious Ads. Equifax's troubles continued this week, with one of its third-party ad providers serving malware to visitors. While it is true that Equifax itself was not hacked, it further erodes trust when their supply chain puts visitors at risk. Not to be left out, TransUnion was found to have the same problem.

Supply Chain Attack Rundown. Attacks like the above leverage the chain of third-party services a vendor depends on. Malvertising is nothing new, but supply chain attacks are increasing in both sophistication and frequency. CrowdStrike provides a brief rundown for anyone needing to catch up.

KnockKnock (but quietly). Researchers discovered a brute force attack (a sneaky one) against Office 365 accounts. KnockKnock, as it is called, was a targeted attack against a specific set of accounts at a specific set of companies using Office 365. The attempts were spread out over time and coordinated across a wide range of IPs to stay under lockout and alerting thresholds. Attackers also singled out senior and/or long-term employees, perhaps hoping they would be more likely to have access to sensitive information.

Attackers abuse overdraft functionality to milk ATMs. Follow along with this story, of attackers that social engineered their way into a bank’s infrastructure, stuck around, and then used their privileges to create new accounts and withdraw millions of dollars by abusing overdraft protection settings.

DNS Requests Could Compromise Your Machine. In this week's terrifying news, a Windows vulnerability was just patched that allowed a malicious DNS response to achieve remote code execution on the machine that sent the query. That applies in any scenario where an attacker can answer your DNS lookups, such as using the Wi-Fi at a coffee shop or an airport. Full details can be found here.

Magento eCommerce Roundup. Lots of Magento-related news this week, including Sucuri's deep dive into a credit card stealing malware ring, this Detectify blog about how bad the patching cadence is for some Magento users, and this announcement of PoC code for two patched exploits.

Disqus Customer Data Exposed. Company Promptly Addresses. Disqus was made aware this week that customer data was circulating, compromising 17.5 million accounts from 2007 to 2012. Overall, the company has excelled in its response. In under 24 hours Disqus had accepted the report, validated the findings, reset affected users' passwords and contacted customers. Their expedient behaviour and transparency blew away Troy Hunt, owner of HaveIBeenPwned.com, and overall raised the bar for how to handle breach disclosures. Of course, users should make sure they are not reusing their passwords elsewhere, which would leave them open to credential stuffing attacks.
